Bandwidth throttling in vulnerability scanning applications

ABSTRACT

Apparatus and methods are disclosed for implementing bandwidth throttling to regulate network traffic as can be used in, for example, vulnerability scanning and detection applications in a computer network environment. According to one embodiment, a method of routing network packets in a networked device having plural network interfaces combines applying traffic class and network interface throttling for marking network packets with a differentiated service code based on input received from a profiler application, throttling the bandwidth of network packets based on a threshold for a designated network interface for the packet, throttling the bandwidth of the bandwidth-throttled packets based on a threshold for its respective differentiated service code, and emitting network packets on each respective designated network interface.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a divisional of U.S. patent application Ser. No. 14/546,863, filed on Nov. 18, 2014, which claims the benefit of U.S. Provisional Application No. 61/906,322, filed Nov. 19, 2013, entitled “BANDWIDTH THROTTLING IN VULNERABILITY SCANNING APPLICATIONS.” The entire disclosure of U.S. Provisional Application No. 61/906,322 and U.S. patent application Ser. No. 14/546,863 is incorporated by reference herein for all purposes.

SUMMARY

Apparatus and methods are disclosed herein for bandwidth throttling implementations for network applications. For example, throttling of network traffic is often desirable in vulnerability scanning applications (e.g., in agentless vulnerability scanning applications using an appliance or in distributed agent-based vulnerability scanning applications). In one example of the disclosed technology, a combination of the Linux Traffic Control subsystem, Netlink, and iptables is used to throttle traffic for multiple processes across different network interfaces and application scans without the need for complex spaghetti code to keep track of how much traffic is being sent and without implementing manual throttling of packets. In other examples, including those based on non-Linux systems such as Windows, Mac OS X, Unix, or other suitable operating systems, modified or different mechanisms for throttling traffic are employed. In some examples, it is desirable to offload computational load for bandwidth throttling to the operating system kernel to provide a hands-off approach to bandwidth throttling while preserving scan accuracy, even in very low bandwidth constraint configurations.

The disclosed technology allows for throttling of network traffic at an application level (e.g., on a per-scan basis, in a vulnerability scanning application).

In one example of the disclosed technology, a computer-implemented method of routing network packets in a networked device having plural network interfaces by applying combining traffic class and network interface throttling includes marking one or more network packets with a differentiated service code, throttling the bandwidth of at least one of the network packets based at least in part on a threshold for a designated network interface for the at least one packet, thereby producing first throttled packets, throttling the bandwidth of at least one of the first throttled packets based at least in part on a threshold for the packet's respective differentiated service code, thereby producing second throttled network packets, and emitting network packets on the respective designated network interface for each of the second throttled network packets according to the throttled bandwidth.

In some examples, one or more computer-readable storage media storing computer-executable instructions that when executed by a device connected to a computer network, cause the networked device to perform the method. In some examples, the marking of the network packets is based on input received from a profiler process executing in application space on the networked device, and the throttling the network packets, the throttling the bandwidth-throttled packets, and the emitting network packets are performed by a kernel executing in privileged space on the networked device. In some examples, the method further includes sending network utilization feedback data to the profiler, the profiler being operable to adjust the rate that network packets are sent based on the network utilization feedback.

In another example of the disclosed technology, one or more computer-readable storage media storing computer-executable instructions that when executed by a device connected to a computer network, cause the networked device to perform a method including, based on input received from a device profiler application, designating one or more input network packets in a first set of packets with a code, determining a rate at which the first set of the network packets are transmitted based at least in part on a threshold associated with the code, thereby producing second throttled network packets, and transmitting the first set of network packets on the network according to the determined rate.

In another example of the disclosed technology, one or more computer-readable storage media storing computer-executable instructions for a device profiler configured to scan one or more target machines for vulnerabilities, instructions for a firewall configured to analyze packets of incoming network traffic and, emitting the incoming network traffic as marked network traffic, wherein the marked network traffic comprises one or more packets with an identifier indicating that the respective packet pertains to scan data from the device profiler, instructions for analyzing the marked network traffic, and based on the identifier, allocating bandwidth to packets of the marked network traffic, and instructions for transmitting the marked network traffic on a computer network, wherein the marked network traffic is transmitted at a rate selected based at least in part on the allocated bandwidth.

In some examples, the instructions for analyzing the marked network traffic are configured to be executed in privileged kernel space, and the instructions for the device profiler, the instructions for the firewall, the instructions for the transmitting the network traffic are configured to be executed in non-privileged user space.

This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. The foregoing and other objects, features, and advantages of the invention will become more apparent from the following detailed description, which proceeds with reference to the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a network diagram illustrating an arrangement of devices in a computer network, as can be used in some examples of the disclosed technology.

FIG. 2 is a network traffic diagram illustrating traffic flow throttling, as can be used in some examples of the disclosed technology.

FIG. 3 is a flow chart illustrating an example technique of bandwidth throttling, as can be used in some examples of the disclosed technology.

FIG. 4 illustrates a generalized example of a suitable computing environment as can be used with some examples of the disclosed technology.

DETAILED DESCRIPTION I. General Considerations

This disclosure is set forth in the context of representative embodiments that are not intended to be limiting in any way.

As used in this application the singular forms “a,” “an,” and “the” include the plural forms unless the context clearly dictates otherwise. Additionally, the term “includes” means “comprises.” Further, the term “coupled” encompasses mechanical, electrical, magnetic, optical, as well as other practical ways of coupling or linking items together, and does not exclude the presence of intermediate elements between the coupled items. Furthermore, as used herein, the term “and/or” means any one item or combination of items in the phrase.

The systems, methods, and apparatus described herein should not be construed as being limiting in any way. Instead, this disclosure is directed toward all novel and non-obvious features and aspects of the various disclosed embodiments, alone and in various combinations and subcombinations with one another. The disclosed systems, methods, and apparatus are not limited to any specific aspect or feature or combinations thereof, nor do the disclosed things and methods require that any one or more specific advantages be present or problems be solved. Furthermore, any features or aspects of the disclosed embodiments can be used in various combinations and subcombinations with one another.

Although the operations of some of the disclosed methods are described in a particular, sequential order for convenient presentation, it should be understood that this manner of description encompasses rearrangement, unless a particular ordering is required by specific language set forth below. For example, operations described sequentially may in some cases be rearranged or performed concurrently. Moreover, for the sake of simplicity, the attached figures may not show the various ways in which the disclosed things and methods can be used in conjunction with other things and methods. Additionally, the description sometimes uses terms like “produce,” “generate,” “display,” “receive,” “throttle,” “mark,” and “emit” to describe the disclosed methods. These terms are high-level abstractions of the actual operations that are performed. The actual operations that correspond to these terms will vary depending on the particular implementation and are readily discernible by one of ordinary skill in the art.

Theories of operation, scientific principles, or other theoretical descriptions presented herein in reference to the apparatus or methods of this disclosure have been provided for the purposes of better understanding and are not intended to be limiting in scope. The apparatus and methods in the appended claims are not limited to those apparatus and methods that function in the manner described by such theories of operation.

Any of the disclosed methods can be implemented as computer-executable instructions stored on one or more computer-readable media (e.g., non-transitory computer-readable media, such as one or more optical media discs, volatile memory components (such as DRAM or SRAM), or nonvolatile memory components (such as flash drives or hard drives)) and executed on a computer (e.g., any commercially available computer, including smart phones or other mobile devices that include computing hardware). Any of the computer-executable instructions for implementing the disclosed techniques, as well as any data created and used during implementation of the disclosed embodiments, can be stored on one or more computer-readable media (e.g., non-transitory computer-readable media). The computer-executable instructions can be part of, for example, a dedicated software application, or a software application that is accessed or downloaded via a web browser or other software application (such as a remote computing application). Such software can be executed, for example, on a single local computer (e.g., as an agent executing on any suitable commercially available computer) or in a network environment (e.g., via the Internet, a wide-area network, a local-area network, a client-server network (such as a cloud computing network), or other such network) using one or more network computers.

For clarity, only certain selected aspects of the software-based implementations are described. Other details that are well known in the art are omitted. For example, it should be understood that the disclosed technology is not limited to any specific computer language or program. For instance, the disclosed technology can be implemented by software written in C, C++, Java, or any other suitable programming language. Likewise, the disclosed technology is not limited to any particular computer or type of hardware. Certain details of suitable computers and hardware are well-known and need not be set forth in detail in this disclosure.

Furthermore, any of the software-based embodiments (comprising, for example, computer-executable instructions for causing a computer to perform any of the disclosed methods) can be uploaded, downloaded, or remotely accessed through a suitable communication means. Such suitable communication means include, for example, the Internet, the World Wide Web, an intranet, software applications, cable (including fiber optic cable), magnetic communications, electromagnetic communications (including RF, microwave, and infrared communications), electronic communications, or other such communication means.

II. Example Networking Environment for Implementing Embodiments of the Disclosed Technology

An example of a possible network topology (e.g., a client-server network) for implementing a bandwidth throttling in vulnerability scanning according to the disclosed technology is depicted in FIG. 1. As shown, a network diagram 100 illustrates a number of networked computing devices (e.g., laptops 110 and 111, desktop computers 112 and 113, touch screen tablets 114 and 115, and file servers 116 and 117). The computing devices can communicate with one or more central computers (e.g., scanning appliance(s) 120 and 121, and/or Vulnerability and Exposure (VnE) management server(s) 122 and 123). Each of the scanning appliances 120 and 121 can host one or more device profiler processes that can scan any of the computing devices 110-117 over a computer network. For example, in some examples, the scanning appliances 120 and 121 are configured as external Session Message Block (SMB or Samba) clients that send traffic to one or more of the VnE management servers 122 and/or 123. In other examples, some or all of the computing devices are configured to locally host profiler processes that send data to the VnE management servers. In some examples, the scanning appliances 120 and 121 and the management servers 122 and 123 are hosted on the same virtual and/or physical computing host.

The computing devices 110-117 can communicated with each other and the central computers 120-123 via a local area network (LAN) 130, the Internet network 135, a wide area network, cellular network, WiFi, and/or other suitable computing networks. The computing devices 110-117 can be, for example, computers running a browser, plug-in, or other software that communicates with one or more central computers via a computer network. The computing devices 110-117 and the central computers 120-123 can have computer architectures as shown in FIG. 4 and discussed in further detail below. The computing devices are not limited to traditional personal computers but can comprise other computing hardware configured to connect to and communicate with a network (e.g., smart phones or other mobile computing devices, servers, network devices, dedicated devices, and the like).

In the illustrated embodiment, the computing devices 110-117 are configured to communicate with one or more central computers 120-123 (e.g., using a cloud network or other client-server network). In certain implementations, the central computers 120-123 execute software for performing any of the disclosed vulnerability scanning, compliance and configuration control functionalities, for implementing any of the disclosed graphical user interfaces, and/or for computing any one or more of the intermediate or final values associated with the disclosed embodiments. The central computers 120-123 can transmit data to any of the computing devices (e.g., data to be displayed on a graphical user interface or web page at the computing devices). For example, the computing devices 110-117 can transmit a request for data to one or more central computers over a network (e.g., the LAN 130 or the Internet 135). In order to provide the data, the one or more central computers 110-117 can access data from the computing devices 120-123 (e.g., computing devices or other devices associated with assets in the IT infrastructure administered by the IT administrator), which can store various types of data used by the IT administrator. For example, the computing devices 110-117 may store device configuration data, compliance policy data, vulnerability scanning data, and/or other such data used by an IT compliance and configuration control tool. Alternatively, the one or more central computers 120-123 may themselves store the device configuration data, compliance policy, vulnerability scanning data, and other such IT data.

In some examples of the disclosed technology, the VnE management servers 122 and 123 serve as data repository and analysis engines for data received from one or more scanning appliances 120 and 121. The VnE management servers 122 and 123 can be configured in a passive mode, where connections from DP servers are received, but not initiated, by the VnE server. Data stored and analyzed by the VnE management server 122 includes alert configurations including user and system alert definitions, and vulnerability and attack data received from DP servers. In some examples, the VnE server 122 can be configured and viewed using a GUI or web browser interface. In some examples, communications to/from the VnE servers are secured using transport layer or other suitable security methods.

In some examples the central computers 120-123 (e.g., scanning appliances, VnE, and DP servers) are hosted on the same physical host, while in other examples, the central computers are hosted on different physical hosts. In some examples, virtualization technology is employed to host one or more of the central computers on the same physical host, but as different virtual machines.

The profiler processes hosted on, for examples, scanning appliances 120 and 121 include functionality for scanning a number of target devices for vulnerabilities and reporting the vulnerabilities to one or more VnE servers (e.g., servers 122 and 123). In some examples, clusters of scanning appliances each report scanning information to a different VnE server. For example, a first scanning appliance 120 can be clustered so that it communicates scan results only to its respective VnE Management Server 122, and second scanning appliance can be clustered so that it communicates scan results only to its respective VnE Management Server 123. In some examples, scanning appliances 120 and 121 are configured for extra security by, for example, booting from a secure, read-only storage device instead of a writeable internal hard drive storage device. The profiler processes can be configured to continually profile a number of devices according to for example, network address, device characteristics, or predetermined mapping. In some examples, the profiler process is executed on a host external to the devices being scanned, while in other examples, the profiler resides on the same physical host or even the same virtual host as one or more of the computing devices 110-117 being profiled by the DP server. The scanning appliance 121 can examine target hosts for applications running on the host, open network ports, or other variables contributing to a vulnerability assessment. As the target host scans are performed, the scanning appliance 121 analyzes the data and sends reports to its corresponding VnE management server 123. In some examples, the scanning appliance 121 and its respective VnE management server 123 are hosted on the same virtual and/or physical host.

In the illustrated embodiment, the computing devices are configured to communicate with one or more central computers (e.g., the scanning appliances 120 and 121 or the Vulnerability and Exposure (VnE) management servers 122 and 123). In certain implementations, the central computers execute software for performing some or all of the disclosed vulnerability scanning functionalities. For example, the central computers 120-123 can transmit data to any of the computing devices (e.g., initiating and conducting vulnerability scans) as well as receive data from any of the computing devices (e.g., receiving data and/or results of vulnerability scan on objects associated with the computing devices).

III. Example Bandwidth Throttling in Vulnerability Scanning

An exemplary technique of bandwidth throttling is illustrated in a network traffic diagram 200 shown in FIG. 2 and a flow chart 300 of FIG. 3. Such bandwidth throttling can be performed in, for example, in a networked computing environment such as that illustrated in the network diagram 100 of FIG. 1.

In some examples of the disclosed technology, vulnerability scans are throttled at the scan level. This means that a scan will be restricted to configured bandwidth constraints, even across different network interfaces. The scan bandwidth constraints are configured on a scan profile received from the VnE management server 125. Bandwidth constraints on a specific interface can be configured. For example, such constraints can be configured manually from a command line interface (CLI) or graphical user interface (GUI) provided by the scanning appliance 120. Any suitable combination of bandwidth constraints can be configured. Packets for a scan can be throttled based on the scan's bandwidth constraints, and also throttled at the scan's egress interface. As used herein, “throttling” refers to regulating the rate at which network packets are emitted or transmitted on a computer network. For example, network packets can be throttled to achieve a minimum or maximum rate of data transfer expressed in bytes per second or as a portion of available network bandwidth. Such throttling rates can be expressed as an instantaneous rate, or averaged over a long period of time (seconds, minutes, or hours).

An example of network traffic flow within a scanning appliance operating in a Linux operating system environment is shown in the network traffic diagram 200 of FIG. 2. As shown, the scanning appliance is executing a profiler application 210 in user/application space that offloads bandwidth throttling by sending network packets to a firewall 220 (e.g., iptables on Linux systems) that can mark packets before sending the packets to a Traffic Control (“tc” or TC) subsystem 230, which operates in privileged kernel space. As shown, the TC subsystem 230 includes a number of network interface queues (eth0, eth1, etc.), and can perform tasks including, for example, throttling based on an interface bandwidth limit, DSCP filtering, and class bandwidth limiting. The TC subsystem 230 is also operable to send feedback data to the Profiler 210 using a Netlink socket interface 235. While the examples discussed herein generally related to traffic control in reference to an exemplary Linux system, it will be readily understood by those of ordinary skill in the relevant art that the disclosed techniques and systems can be modified for deployment on other operating systems, for example, Windows, Mac OS X, BSD, Solaris, or other suitable operating systems.

The firewall 220 includes a module 222 that analyzes incoming packets from the Profiler 210 to determine whether the packets are being sent to a location designated exempt from throttling, for example, to a VnE server. For example, TCP/IP network packets can be analyzed for one or more fields, such as service type, protocol, destination address, or other suitable fields for determining that the packet destination is a server of a type that is to be unthrottled (e.g., a packet destined for a VnE server). If the module 222 determines that the packet is destined for an unthrottled server (e.g., a VnE server), then a firewall mark is added to the packet by a module 224 before being sent to the traffic control subsystem 230. Otherwise, the packet is not marked, but still is sent to the traffic control subsystem 230. While only traffic from the profiler 210 is explicitly shown coming into the firewall 220 of FIG. 2, it will be readily understood to one of ordinary skill in the art that non-VnE network traffic data from a plurality of different processes and hosts can also be analyzed and processed by the firewall 220.

In Linux-based implementations, the task of throttling packets can be offloaded to the Linux kernel, via use of the Traffic Control Subsystem 230. For scan-wide throttling, Traffic Control (TC) rules are created that check the Differentiated Service Code Point (DSCP) values of egress packets on Ethernet interfaces for “bandwidth class” values ranging from 1-63, each value being assigned to a different scan running on the Device Profiler (e.g., a networked vulnerability scanning appliance).

As shown in FIG. 2, the TC subsystem 230 includes a number of modules that traffic can pass through before being emitted at one or more network interfaces. Traffic from the firewall 220 is first added to a network queue corresponding to the outgoing interface assigned to the packet. The example TC subsystem 230 is shown configured for four Ethernet queues 240, labeled eth0 through eth3, each of which can store a number of network packets before sending to decision modules 242, which determine whether the packet has been marked with a firewall mark. In some examples, the decision modules evaluate the DSCP field to determine whether the packet has been marked for throttling. If the packet has not been marked for interface throttling exemption, it is passed to one of the interface bandwidth limit modules 244. As shown in FIG. 2, there is an interface bandwidth limit module 244 for each available network interface. For packets passed in to each of the interface bandwidth limit modules 244, a limit is applied to control the rate at which packets are passed through the TC subsystem. The queues 240 can be used to temporarily store packets, if, for example, the rate is limited by it corresponding interface bandwidth module.

The packets from both the interface bandwidth limit modules 244 and those that are bypassed because of the decision modules 242 are then passed to a number of DSCP filters 250. Each of the DSCP filters 250 analyzes the DSCP field for packets for the associated network interface and, for those packets that have non-zero DSCP field, sends the packet to a corresponding intermediate functional block queue 252. As shown in FIG. 2, each DSCP field values is associated with a separate ifb queue: ifb1, ifb2, etc. For packets that have a DSCP field value of zero, indicating that throttling is not being applied, the packets bypass the ifb queues 252 and pass directly to one of the network interfaces 260. Thus, the system allows packets with appropriate marking to bypass class bandwidth limiting.

Packets that have a non-zero DSCP field values are routed to a queue corresponding to the packet's DSCP field and temporarily stored. The queues are typically first-in first-out (FIFO) queues, although other suitable queuing mechanisms can be used. Data is read from the queues at a rate control by the queues corresponding class bandwidth limiting modules 254. Thus, as shown in FIG. 2, there are 63 IFB queues 252 and 63 class bandwidth-limiting modules 254, one for each possible DSCP field value. In implementations where a different packet field is used for routing, or the number of field values varies, the number of queues and limits can be adjusted.

Packets are then sent from the class bandwidth limiting modules 254 back to the corresponding network interface. As shown in FIG. 2, packets from each of the 63 modules 254 are routed to one of four network interfaces 260 (eth0 through eth3). In some examples, the network interfaces reset the DSCP field values for packets back to zero before transmitting the packet on a computer network 270. In this way, the DSCP field values are used internally by the traffic control subsystem, but remain transparent to the rest of the network. In some examples, the DSCP fields can be temporarily stored as packets are routed through the TC subsystem and then reapplied before sending on the network 270.

FIG. 3 is a flow chart illustrating an example method of bandwidth throttling, as can be performed in some examples of the disclosed technology. At process block 310, network packets are marked for throttling. Via the TC rules, any matching packets can be redirected to an intermediate functional block (IFB) interface, which contains the queuing discipline (qdisc) classes responsible for throttling packets based on a particular scan's specific bandwidth constraints. Since packet throttling is offloaded to the kernel, and there can be multiple scans running at once on a DP, each network packet can be marked so that the kernel knows how to throttle them. For example, the DSCP field in the IP packet header can be used to mark each packet with a value between 0 and 63. The firewall 220, as discussed above, can be used to mark packets using DSCP fields. By convention, a value of 0 in the DSCP field indicates that throttling is disabled for that particular packet, while values between 1 and 63 are used to indicate which IFB is appropriate for directing the packet. In some examples, other packet fields or conventions are used.

At process block 320, the bandwidth of network packets marked at process block 310 is throttled based at least in part on threshold for a designated network interface for the packets to produce first throttled packets. For example, a first network interface (e.g., eth0) can be configured to have a higher threshold (e.g., 5 Mbs/second) for throttling than a second network interface (e.g., eth1 can be assigned a lower threshold of 1 Mbs/second).

At process block 330, the bandwidth of the bandwidth throttled packets from process block 320 is further throttled based at least in part on a threshold for the differentiated service code to produce second throttled network packets.

Since packet throttling is offloaded to the kernel, and there can be multiple scans running at once on a DP, each network packet can be marked so that the kernel knows how to throttle them. For example, the DSCP field in the IP packet header can be used to mark each packet with a value between 0 and 63. For example, packets marked with a DSCP value of 0 are not throttled by the kernel, and any packets marked with a value between 1 and 63 are redirected to an appropriate IFB interface for throttling. Further, some scan classes (e.g., for higher-priority vulnerabilities) can be allotted a higher threshold for bandwidth throttling than other scan classes (e.g., for lower-priority vulnerabilities).

After being throttled, packets on the IFB interfaces are automatically placed back onto the network stack for the network interfaces (e.g., an Ethernet interface) to which they originally were routed. DSCP values of 0 are reserved for scans where throttling is disabled, and as such packets with DSCP values of 0 will not be redirected to IFB interfaces. For interface IP Table-based throttling, qdisc classes are placed directly on the Ethernet interfaces themselves, and so marking the DSCP field is unnecessary. Packets can be both throttled on Ethernet interface egress and again at an IFB interface (for scan-wide throttling).

At process block 340, the throttled network packets (e.g., from process block 320 and/or 330) are emitted on the respective designated network interface for each of the second throttled network packets. To ensure that packets leaving the profiler are not handled differently by other nodes between the profiler and target, TC rules on IFB interfaces set the DSCP values of packets back to 0 (or remove the DSCP field) when the packets are emitted onto the network.

At process block 350, network utilization feedback data is sent to the profiler, to allow the profiler to adjust the rate that network packets are sent. One issue presented when using the Linux kernel for bandwidth throttling is that the profiler lacks awareness of when the kernel is holding onto packets before sending that data out, for example, in the case of a fully saturated qdisc class. This means that any timeout timers that depend on getting data back in x amount of time after sending data out if a socket are essentially reduced in time if the kernel holds on to any of this data instead of sending it out immediately.

Dynamic “backing off” can be used to resolve this issue. In the Linux operating system, a profiler can be connected to the traffic control subsystem using an inter-process communication socket interface, for example, Netlink, so that both the IFB interface and Ethernet interface for the sending host are checked in order to determine whether or not any of the qdisc classes that network packets will traverse have data in their queues. By using an IPC socket interface, data can be communicated between processes, including between user-space and kernel-space processes. Data send points within the profiler can be modified to check these qdisc queues using Netlink before attempting to send data or start any timeouts. This technique of “backing off” at the data send points allows us to keep sending data out at the configured bandwidth constraints while preventing false negatives due to premature timeouts or kernel-dropped packets. Some vulnerability assessment tests will determine a false negative based on not receiving a response from the target within a timeout period. For example, only certain web servers may respond to a request on port number 80. If the request is delayed in the TC subsystem 230 beyond the timeout period, a false negative might be recorded. Therefore, the Profiler 210 can communicate with the Netlink socket interface 235 and delay sending data to the Firewall 220 until a time when the throughput through the TC subsystem 230 is improved, and/or increase the timeout period, to avoid reporting a false negative vulnerability.

The ability to configure a combination of bandwidth constraints by using the kernel to perform the actual bandwidth throttling facilitates the adding of new data send points, as the packets need only be marked with a corresponding DSCP value for scan throttling. Packets not marked with a DSCP value will automatically be throttled at the interface bandwidth limit, if one is configured. Using Netlink to obtain TC statistics allows data send points to determine if data is ready to be sent before attempting to send, which allows avoidance of false negatives by waiting for a time where it can be assured that data will be sent, before attempting to send it, and thus waiting until that time before starting any timeout timers.

In some examples, a firewall mark is applied to some but not all of the network packets prior to throttling. The firewall mark causes the interface bandwidth throttling to not occur for the firewall marked packets. This firewall marking is used in some examples to prevent throttling of traffic between the DP and VnE. Allowing users or network administrators to specify bandwidth constraints on an interface essentially also allows a customer to throttle traffic going between the VnE and DP. Since there can be a substantial amount of data sent between these two devices, throttling that traffic can have a negative impact on total scan time. In some examples in a Linux operating system environment, this can be resolved by marking traffic destined to the VnE's IP address using IP Tables and then later ignored by TC rules. Other traffic (e.g., vulnerability scan traffic) is not so marked, and the normal TC rules are applied to those network packets. In some examples, even the traffic between the VnE and DP is throttled on an interface, as specified by an additional parameter for configuring the interface throttling.

IV. Example Computing Environment for Implementing Embodiments of the Disclosed Technology

FIG. 4 illustrates a generalized example of a suitable computing environment 400 in which described embodiments, techniques, and technologies, including reporting agents and monitor servers, can be implemented. For example, the computing environment 400 can implement bandwidth-throttling implementations for a network vulnerability scanning applications, as described herein.

The computing environment 400 is not intended to suggest any limitation as to scope of use or functionality of the technology, as the technology may be implemented in diverse general-purpose or special-purpose computing environments. For example, the disclosed technology may be implemented with other computer system configurations, including hand held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The disclosed technology may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

With reference to FIG. 4, the computing environment 400 includes at least one central processing unit 410 and memory 420. In FIG. 4, this most basic configuration 430 is included within a dashed line. The central processing unit 410 executes computer-executable instructions and may be a real or a virtual processor. In a multi-processing system, multiple processing units execute computer-executable instructions to increase processing power and as such, multiple processors can be running simultaneously. The memory 420 may be volatile memory (e.g., registers, cache, RAM), non-volatile memory (e.g., ROM, EEPROM, flash memory, etc.), or some combination of the two. The memory 420 stores software 480, images, and video that can, for example, implement the technologies described herein. A computing environment may have additional features. For example, the computing environment 400 includes storage 440, one or more input devices 450, one or more output devices 460, and one or more communication connections 470. An interconnection mechanism (not shown) such as a bus, a controller, or a network, interconnects the components of the computing environment 400. Typically, operating system software (not shown) provides an operating environment for other software executing in the computing environment 400, and coordinates activities of the components of the computing environment 400.

The storage 440 may be removable or non-removable, and includes magnetic disks, magnetic tapes or cassettes, CD-ROMs, CD-RWs, DVDs, or any other medium which can be used to store information and that can be accessed within the computing environment 400. The storage 440 stores instructions for the software 480 and vulnerability scanning rules and data, which can implement technologies described herein.

The input device(s) 450 may be a touch input device, such as a keyboard, keypad, mouse, touch screen display, pen, or trackball, a voice input device, a scanning device, or another device, that provides input to the computing environment 400. For audio, the input device(s) 450 may be a sound card or similar device that accepts audio input in analog or digital form, or a CD-ROM reader that provides audio samples to the computing environment 400. The output device(s) 460 may be a display, printer, speaker, CD-writer, or another device that provides output from the computing environment 400.

The communication connection(s) 470 enable communication over a communication medium (e.g., a connecting network) to another computing entity. The communication medium conveys information such as computer-executable instructions, compressed graphics information, video, or other data in a modulated data signal.

Some embodiments of the disclosed methods can be performed using computer-executable instructions implementing all or a portion of the disclosed technology in a computing cloud 490. For example, vulnerability scanning can be executed in the computing environment 430 (e.g., by a scanning appliance 120), while collection of vulnerability data can be performed on remote servers located in the computing cloud 490 (e.g., by a VnE management server 122).

Computer-readable media are any available media that can be accessed within a computing environment 400. By way of example, and not limitation, with the computing environment 400, computer-readable media include memory 420 and/or storage 440. As should be readily understood, the term computer-readable storage media includes the media for data storage such as memory 420 and storage 440, and not transmission media such as modulated data signals.

In view of the many possible embodiments to which the principles of the disclosed invention may be applied, it should be recognized that the illustrated embodiments are only preferred examples of the invention and should not be taken as limiting the scope of the invention. 

We claim:
 1. One or more computer-readable storage devices or memory storing computer-executable instructions that when executed by a computer, cause the computer to perform a method, the instructions comprising: instructions for a firewall that cause the firewall to: analyze packets of incoming network traffic and emit the incoming network traffic as marked network traffic, wherein the marked network traffic comprises one or more packets with a class identifier indicating that the respective packet pertains to scan data from a device profiler configured to scan one or more target machines for vulnerabilities, and wherein at least one of the packets, which is destined for a server that collects the scan data from the device profiler, is marked by the firewall with a firewall mark; instructions to analyze the marked network traffic, and based on the class identifier, allocating bandwidth to packets of the marked network traffic; and instructions to transmit the marked network traffic on a computer network, wherein the at least one of the packets marked with the firewall mark is transmitted to said server at a rate that is unrestricted by the allocated bandwidth, and remaining packets of the marked network traffic are transmitted at a rate selected based at least in part on the allocated bandwidth.
 2. The one or more computer-readable storage devices or memory of claim 1, wherein the instructions to analyze the marked network traffic are configured to be executed in privileged kernel space.
 3. The one or more computer-readable storage devices or memory of claim 1, wherein the instructions for the firewall and the instructions to transmit the marked network traffic are configured to be executed in non-privileged user space.
 4. The one or more computer-readable storage devices or memory of claim 1, further comprising instructions to analyze the marked network traffic, and to further allocate bandwidth to the packets of marked network traffic based at least in part on a network interface to which the marked network traffic is assigned.
 5. The one or more computer-readable storage devices or memory of claim 1, further comprising instructions to send messages to the device profiler indicating the bandwidth allocated to the marked network traffic.
 6. The one or more computer-readable storage devices or memory of claim 1, further comprising instructions to remove the class identifier before transmitting the marked network traffic on a computer network.
 7. The one or more computer-readable storage devices or memory of claim 1, wherein the incoming network traffic includes data for the device profiler scan, and further comprising instructions that cause the device profiler to reduce a rate at which the device profiler is configured to scan at least one of the target machines based at least in part on the rate at which network traffic is transmitted on the computer network.
 8. A method of routing network packets, the method comprising: scanning one or more target machines for vulnerabilities; based on an analysis of incoming network traffic, marking packets of the incoming network traffic and emitting marked packets, the marked packets comprising one or more packets with a class identifier indicating that the respective packet pertains to at least one of the vulnerabilities, at least one of the packets, which is destined for a server that collects data from the scanning, is marked with a firewall mark; allocating bandwidth to the marked packets based on the class identifier; and transmitting the marked packets on a computer network, wherein the at least one of the packets marked with the firewall mark is transmitted to said server at a rate that is unrestricted by the allocated bandwidth, and remaining packets of the marked packets are transmitted at a rate selected based at least in part on the allocated bandwidth.
 9. The method of claim 8, wherein the analysis on the marked packets is executed with a process executed by a processor in non-privileged kernel space, and the allocating bandwidth is executed with a process executed by a processor in privileged kernel space.
 10. The method of claim 8, wherein the allocating bandwidth to the marked packets is based at least in part on a network interface to which a respective one of the marked packets is assigned.
 11. The method of claim 8, further comprising removing the class identifier before the transmitting the marked packets on the computer network.
 12. The method of claim 8, further comprising sending messages to a device profiler indicating the bandwidth allocated to the marked packets.
 13. The method of claim 12, wherein: the device profiler is configured to scan at least one of the target machines based at least in part on a rate at which network traffic is transmitted on the computer network; and the incoming network traffic includes data for configuring a device profiler scan performed by the device profiler.
 14. An apparatus, comprising: one or more processors; a first physical network interface and a second physical network interface; and memory or storage devices storing computer-executable instructions that when executed by the processors, cause the apparatus to perform a method, the method comprising: scanning one or more target machines for vulnerabilities; based on an analysis of incoming network traffic, marking packets of the incoming network traffic and emitting the incoming network traffic as marked network traffic, wherein the marked network traffic comprises one or more packets with a class identifier indicating that the respective packet pertains to at least one of the vulnerabilities, at least one of the packets, which is destined for a server that collects data from the scanning, is marked with a firewall mark; allocating bandwidth to packets of the marked network traffic based on the class identifier; and transmitting the marked network traffic via the first physical network interface or the second physical interface, wherein the at least one of the packets marked with the firewall mark is transmitted to said server at a rate that is unrestricted by the allocated bandwidth, and remaining packets of the marked network traffic are transmitted at a rate selected based at least in part on the allocated bandwidth.
 15. The apparatus of claim 14, wherein the one or more processors execute at least the computer-executable instructions for marking packets in non-privileged user space, and execute at least the computer-executable instructions for allocating bandwidth in privileged user space.
 16. The apparatus of claim 14, wherein the method further comprises allocating the bandwidth to the packets of marked network traffic based at least in part on a network interface to which the marked network traffic is assigned.
 17. The apparatus of claim 14, wherein the method further comprises sending messages to a device profiler indicating the bandwidth allocated to the marked network traffic.
 18. The apparatus of claim 14, wherein the method further comprises removing the class identifier before the transmitting the marked network traffic. 